In their recent report, A Practical Guide to Zero Trust Implementation, Forrester recommends that organizations implement privileged identity management (PIM) as one of the foundational steps for adopting Zero Trust. As a PIM vendor, we can certainly support that recommendation, but I can see how some customers may not see the connection between PIM and Zero Trust.
Much of the Zero Trust discussion is focused on network access and software-defined perimeters, so where do PIM technologies fit into this model? I had the opportunity to put this question to one of the lead authors of the report, Merritt Maxim, Vice President and Research Director of the Security practice at Forrester, during a series of web chats on privileged identities.
Here are some highlights from our discussion:
Ensuring Least Privileged Access
One of the three core tenets of Zero Trust is to ensure least-privileged access, and there is far too much access to data in the typical enterprise today. Merritt pointed out that too many individuals, especially those who have been with their organizations for a long time, are over-privileged. This is true for regular business users as well as for those with access to privileged accounts.
PIM technologies have been used for years to help rein in access to privileged accounts, because these accounts often have elevated, and in some cases unfettered, access to sensitive data and critical infrastructure. That makes them dangerous if they are compromised by an external attacker, and for the same reason they are a favorite target of malicious insiders. Additionally, the credentials for these accounts are often shared by multiple users, which increases the risk of compromise and removes individual accountability for what is done with them.
PIM technologies vault these credentials and force users to positively identify themselves, often with multifactor credentials, before granting access to the privileged accounts. This also addresses another tenet of Zero Trust: Identify Every User and Device Requesting Access. Many privileged accounts cannot use multifactor authentication natively, but putting access to their credentials behind a PIM technology lets you apply that level of authentication anyway. Furthermore, all activities performed by the user can be monitored and recorded, which helps to quickly identify unusual behavior and provides accountability. This data can also be fed to Identity Governance and Administration (IGA) technologies to help determine which privileged accounts users really need to do their jobs. If a user has been given access to an account but has not used it in six months, that access is probably not needed and can be removed, which is how a least-privileged posture is maintained over time rather than only at onboarding.
PIM and DevOps
DevOps is one of the current IT trends, and speed and agility are at its heart. How can we digitally transform our organization? We need to be able to develop and deploy applications faster, with greater emphasis on user experience. Security is generally viewed as a speed bump in this process: when everyone says go, security says stop. That is why it is so critical that organizations adopting DevOps embed security into the process itself. For PIM technologies, this needs to happen in two parts of DevOps.
First, we need to remember that privileged accounts are not accessed only by real people. Numerous applications are also given privileged access to sensitive resources and data by embedding the associated credentials in scripts or in a run-time configuration file. This is especially true in more sophisticated IT shops where CI/CD practices introduce automated processes with no human intervention at all. These automation tools often rely on hard-coded administrative credentials that are ripe for theft and misuse, frequently with little or no protection around them. Worse, in many cases one set of credentials is used to access the entire cloud estate (i.e., one user ID and password reaches every AWS instance in both development and production), which compounds the damage if those credentials are compromised.
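Before you can remove hard-coded credentials you have to find them, and a pipeline that commits them tends to keep committing them. The scanner below is an added example written for this post, not a Symantec PAM feature or any product's code. It runs a few regular expressions over a set of constructed sample files (the AWS values are the AWS-documented example credentials, not real ones), skips values that are only references to environment variables, and redacts the matched secret in its own report so the scanner does not become a second place the credential leaks. The patterns are assumptions about common credential shapes and will need tuning for your codebase.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample inputs standing in for files a pipeline might commit.
# The AWS values are the documented AWS example credentials, not real ones.
SAMPLE_FILES: Dict[str, str] = {
    "deploy.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "mysql -u root -pS3cretPass123 prod < schema.sql\n"
        "ssh admin@db01 'systemctl restart app'\n"
    ),
    "app.properties": (
        "db.url=jdbc:mysql://db01/prod\n"
        "db.user=appadmin\n"
        "db.password=Correct-Horse-Battery\n"
        "feature.flag=true\n"
    ),
    "fetch.py": (
        "import os\n"
        "password = os.environ['DB_PASSWORD']  # injected at run time, not a literal\n"
        "PASSWORD = ''\n"
    ),
}

# Each pattern names the kind of embedded credential it detects and captures
# the secret itself in a group called `value` so it can be redacted in output.
# These shapes are assumptions; extend them for the tools your pipeline uses.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?P<value>AKIA[0-9A-Z]{16})\b")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?(?P<value>[A-Za-z0-9/+=]{40})")),
    ("assigned_password",
     re.compile(r"(?i)\b(?:password|passwd|pwd|secret|token)\s*[=:]\s*['\"]?(?P<value>[^\s'\"]{6,})")),
    ("mysql_inline_password", re.compile(r"\bmysql\b.*\s-p(?P<value>\S+)")),
    ("private_key", re.compile(r"(?P<value>-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
]

# A matched "value" that is really a lookup of an external source is the
# pattern we want developers to use, so it is not reported.
INDIRECT_PREFIXES = ("$", "${", "%", "os.environ", "os.getenv", "getenv(")


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    redacted_line: str


def redact(line: str, value: str) -> str:
    """Mask the secret so the scanner's own report does not leak it into CI logs."""
    keep = min(4, len(value))
    return line.replace(value, value[:keep] + "*" * (len(value) - keep))


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan {path: contents} and return one Finding per (line, pattern) hit."""
    findings: List[Finding] = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in PATTERNS:
                m = pattern.search(line)
                if not m:
                    continue
                value = m.group("value")
                if value.startswith(INDIRECT_PREFIXES):
                    continue
                findings.append(Finding(path, line_no, kind, redact(line, value)))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.kind}] {f.redacted_line}")
```

Run it as a pre-commit hook or a pipeline stage that fails the build on any finding; the report shows where the credential lives without reproducing it.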
PIM technologies have long provided a capability called Application-to-Application Password Management (AAPM), which lets organizations remove hard-coded passwords from applications, scripts, and files and instead have those applications request a privileged password from the PIM solution at run time. Unfortunately, many organizations had already deployed hundreds of applications with hard-coded passwords, and finding and removing them was judged too costly and too much trouble. So, to shed the negative connotation that became attached to AAPM, vendors and analysts renamed the capability "Secrets Management" and associated it with DevOps to further increase its coolness, but it is essentially the same thing that has existed in many products, including ours, for many years. Maybe we can learn from past mistakes and stop embedding passwords, both in our DevOps toolchains and in the new applications coming off the CI/CD pipeline.
The second place where PIM technologies intersect DevOps is in securing the apps and underlying infrastructure being created. One of the biggest concerns with protecting privileged accounts is "shadow IT": how can we protect privileged accounts on systems we do not know about? One option is to run discovery tools continuously and hope you find the new systems. In a DevOps world, however, it would be easier to apply PIM protection at the same time a new app is being created, automatically provisioning the new privileged accounts into the PIM tool so they are protected immediately, with the initial password rotated by the vault so that nothing the pipeline saw remains valid. This requires two things: training the DevOps teams to build this step into their deployment scripts, and REST interfaces in the PIM tool for automating privileged tasks.
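The two DevOps touchpoints above, the run-time password request that replaces a hard-coded credential and the pipeline step that onboards a freshly built host, share one small REST client. The code below is an added example for this post, not Symantec PAM's API or any product's code: the endpoint paths, JSON fields and the `rotate_on_onboard` flag are assumptions about what such an API looks like. The client's own bearer token is the "secret zero" problem; here it is read from an environment variable injected by the CI runner, which is still a secret, just not one committed to source. A `FakeTransport` stands in for the network so the example runs offline.

```python
import json
import os
import secrets
import urllib.request
from typing import Any, Callable, Dict, List, Optional

# Transport signature: (method, url, headers, body) -> parsed JSON response.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Dict[str, Any]]


def http_transport(method: str, url: str, headers: Dict[str, str],
                   body: Optional[bytes]) -> Dict[str, Any]:
    """Real transport: one HTTPS call with urllib, no third-party dependencies."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


class PamClient:
    """Minimal client for a hypothetical PAM REST API.

    ASSUMPTION: the paths and JSON fields are illustrative, not any vendor's
    real API. The bearer token is this client's own credential and must come
    from somewhere safer than the repository (CI-injected env var, cloud
    instance identity, or a client certificate).
    """

    def __init__(self, base_url: str, api_token: str,
                 transport: Transport = http_transport) -> None:
        self.base_url = base_url.rstrip("/")
        self._token = api_token
        self._transport = transport

    def _call(self, method: str, path: str,
              payload: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        headers = {"Authorization": "Bearer " + self._token,
                   "Content-Type": "application/json"}
        body = json.dumps(payload).encode() if payload is not None else None
        return self._transport(method, self.base_url + path, headers, body)

    # AAPM / secrets management: the run-time request that replaces a literal
    def checkout_password(self, target: str, account: str) -> str:
        resp = self._call("POST", "/api/v1/credentials/checkout",
                          {"target": target, "account": account})
        return resp["password"]

    # DevOps onboarding: register a new host's admin account so it is vaulted now
    def onboard_account(self, host: str, account: str, initial_password: str) -> str:
        resp = self._call("POST", "/api/v1/targets",
                          {"host": host, "account": account,
                           "password": initial_password,
                           "rotate_on_onboard": True})  # vault discards our value
        return resp["target_id"]


def provision_host(pam: PamClient, host: str) -> str:
    """Pipeline step after a host is built: random initial admin password,
    hand it to the vault, forget it. Returns the vault's target id."""
    initial = secrets.token_urlsafe(24)
    # ... set `initial` on the host's admin account here (omitted)
    return pam.onboard_account(host, "admin", initial)


def run_schema_migration(pam: PamClient, host: str, log: List[str]) -> bool:
    """Pipeline step that needs the DB root password: fetch it at run time,
    use it, and log only that it was used, never the value."""
    password = pam.checkout_password(host, "root")
    ok = bool(password)  # stand-in for the real DB call that would consume it
    log.append(f"migration on {host} as root: {'ok' if ok else 'failed'}")
    return ok


class FakeTransport:
    """In-memory stand-in for the PAM API so the example runs offline."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def __call__(self, method, url, headers, body):
        payload = json.loads(body) if body else {}
        self.calls.append({"method": method, "url": url,
                           "auth": headers.get("Authorization"), "payload": payload})
        if url.endswith("/api/v1/targets"):
            return {"target_id": "tgt-" + payload["host"]}
        if url.endswith("/api/v1/credentials/checkout"):
            return {"password": "vaulted-" + payload["account"]}
        raise ValueError("unexpected endpoint " + url)


if __name__ == "__main__":
    token = os.environ.get("PAM_API_TOKEN", "ci-runner-token")  # assumption: CI-injected
    pam = PamClient("https://pam.example.internal", token, transport=FakeTransport())
    print(provision_host(pam, "web-042.example.internal"))
    log: List[str] = []
    run_schema_migration(pam, "db01.example.internal", log)
    print(log)
```

Two design points matter more than the API shape: the pipeline never persists the password it generated (the vault rotates it on arrival), and the migration step holds the checked-out password only in memory for the duration of the call.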
PIM Architecture: Proxy, Agent, or Hybrid
Given the importance of PIM technologies, not only for Zero Trust but also for DevOps, the next question is which PIM architecture to implement: proxy-based, agent-based, or a combination of the two. Merritt pointed out that a hybrid model may be needed; there is no "one size fits all" solution, and different architectures suit different problems. For example, we have customers who do not believe that proxy-based solutions satisfy PCI compliance and therefore deploy agents on every server that stores or processes PCI data. The practical caveat with a pure proxy model is that it only governs sessions that actually pass through the proxy, so the targets must be configured to refuse direct administrative connections from anywhere else or the control can be bypassed. This stance varies from customer to customer, and for this reason a hybrid approach is best; a single deployment model is just not flexible enough to handle every use case in the digital enterprise.
The Final Tenet of Zero Trust
And this leads us to the final tenet of Zero Trust: assume breach. Zero Trust recognizes that persistent attackers will eventually find a way past your defenses. For this reason the Zero Trust model assumes that a breach will occur and that mechanisms need to be in place to minimize the damage when it does.
PIM technologies provide two mechanisms that help address this tenet. The first is threat analytics, which monitors all privileged user activity and builds usage and behavior profiles, so that if an attacker compromises a legitimate user's account, or a legitimate user turns rogue, the system can detect the change in behavior and immediately initiate mitigating actions. The second has already been mentioned: integrating the PIM technology with your IGA solution to provide ongoing review and certification of every user with access to privileged accounts and credentials. We call this Privileged Access Governance.
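Both "assume breach" mechanisms reduce to something concrete: a per-user profile that incoming sessions are scored against, and a feed of idle entitlements for the governance review (the "not used in six months" case from the least-privilege discussion above). The following is an added example written for this post, not Symantec PAM's analytics or any product's code. It builds a deliberately simple baseline (targets, source /24 networks and hours of day seen in a constructed four-week history), scores new sessions by how many of those three dimensions they leave, maps the score to an automatic action, and lists entitlements idle for more than 180 days. A real product uses statistical profiles rather than set membership; the thresholds and action names here are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Set


class Session(NamedTuple):
    user: str
    start: datetime
    source_ip: str
    target: str


def _constructed_history() -> List[Session]:
    """Constructed sample: four weeks of routine privileged sessions for two admins."""
    first = datetime(2020, 3, 2)
    out: List[Session] = []
    for day in range(28):
        d = first + timedelta(days=day)
        out.append(Session("alice", d.replace(hour=9), "10.1.20.15", "db01"))
        out.append(Session("alice", d.replace(hour=14), "10.1.20.15", "db02"))
        out.append(Session("bob", d.replace(hour=10), "10.1.30.7", "web01"))
    return out


HISTORY = _constructed_history()


class Baseline(NamedTuple):
    targets: Set[str]
    networks: Set[str]  # /24 prefixes the user normally connects from
    hours: Set[int]     # hours of day the user has been active in


def network(ip: str) -> str:
    return ".".join(ip.split(".")[:3])


def build_baselines(history: List[Session]) -> Dict[str, Baseline]:
    acc: Dict[str, Baseline] = defaultdict(lambda: Baseline(set(), set(), set()))
    for s in history:
        b = acc[s.user]
        b.targets.add(s.target)
        b.networks.add(network(s.source_ip))
        b.hours.add(s.start.hour)
    return dict(acc)


def score_session(s: Session, baselines: Dict[str, Baseline]) -> List[str]:
    """Return the ways this session departs from the user's own profile."""
    b = baselines.get(s.user)
    if b is None:
        return ["no_history"]
    reasons: List[str] = []
    if s.target not in b.targets:
        reasons.append("new_target")
    if network(s.source_ip) not in b.networks:
        reasons.append("new_source_network")
    if s.start.hour not in b.hours:
        reasons.append("unusual_hour")
    return reasons


def decide(reasons: List[str]) -> str:
    """Automatic mitigation (assumed policy): two or more deviations end the
    session and rotate the credential; one raises an alert; none is allowed."""
    if len(reasons) >= 2:
        return "terminate_session_and_rotate_credential"
    if reasons:
        return "alert"
    return "allow"


class Entitlement(NamedTuple):
    user: str
    account: str
    last_used: Optional[datetime]  # None: granted but never checked out


def certification_candidates(entitlements: List[Entitlement], as_of: datetime,
                             max_idle_days: int = 180) -> List[Entitlement]:
    """Governance feed: privileged entitlements idle longer than the threshold,
    which the IGA review should ask the owner to re-justify or revoke."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return [e for e in entitlements if e.last_used is None or e.last_used < cutoff]


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    live = [  # constructed incoming sessions
        Session("alice", datetime(2020, 3, 30, 9, 5), "10.1.20.15", "db01"),
        Session("alice", datetime(2020, 3, 31, 3, 12), "203.0.113.9", "db01"),
        Session("bob", datetime(2020, 3, 30, 10, 30), "10.1.30.7", "db01"),
        Session("mallory", datetime(2020, 3, 30, 11, 0), "10.1.30.7", "web01"),
    ]
    for s in live:
        r = score_session(s, baselines)
        print(s.user, s.target, r, "->", decide(r))
    ents = [
        Entitlement("alice", "db01/root", datetime(2020, 3, 29)),
        Entitlement("carol", "mainframe/SYSPROG", datetime(2019, 8, 1)),
        Entitlement("dave", "db02/root", None),
    ]
    for e in certification_candidates(ents, datetime(2020, 3, 31)):
        print("review:", e.user, e.account)
```

The session from an unfamiliar network at 03:12 is the compromised-credential case and gets the hard response; bob reaching a database he has never touched is the kind of thing a human should look at before it is blocked; an entitlement that was never used at all is the easiest revocation a certification campaign will ever approve.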
Hopefully, you now understand how PIM technologies help with Zero Trust. So the next questions are: do you already have a PIM vendor, and are you happy with them? If the answer to either question is no, you might want to consider Symantec PAM.
Symantec PAM, from Symantec, a division of Broadcom (NASDAQ: AVGO), is designed to prevent security breaches and establish Zero Trust by protecting sensitive administrative credentials, controlling privileged user access, proactively enforcing security policies, and monitoring and recording privileged user activity across virtual, cloud and physical environments.
Symantec PAM also offers the following competitive differentiators:
- Fast time-to-protection. Quickly deploy the solution as a hardened device or virtual appliance, and configure it through a straightforward console to achieve faster time-to-protection and reduced implementation costs.
- Enterprise performance and scalability. As one of the most efficient and scalable privileged access management technologies, the solution can handle and record significantly more simultaneous connections than other solutions can. This scalability supports large-scale deployments with minimal infrastructure.
- Automated risk mitigation. The solution monitors all privileged user activity, analyzes it in real-time, and can trigger automatic mitigation actions when unusual behavior is detected. The solution enables an immediate response to potential risks without any human interaction.
- Flexible deployment architecture. The solution supports agent-based and agentless deployment options, which can be used individually or jointly to provide a comprehensive strategy to address privileged access management challenges.
- Total cost of ownership. The solution offers best-in-class total cost of ownership because it is quick to deploy, easy to use, and scalable. Additionally, the new portfolio license agreement offers flexibility and lower, predictable costs for your organization.
And finally, Symantec PAM is just one component in the Symantec Zero Trust platform, an integrated cyber defense solution that combines market leading endpoint, network, identity and data security technologies into one integrated platform.
The Symantec Advantage
Funding for IT projects, especially for new systems whose value may be unfamiliar to business leaders, is challenging. Selling a privileged access project is easier from an outcome-oriented perspective, as these projects are more focused than general access management projects and provide critical security for the most sensitive systems and data in the company.
New privileged access management systems, such as Symantec Privileged Access Management, that are based on principles of least privilege and zero trust, can play a foundational role in building a Zero Trust organization by allowing customers to:
- Maximize your investment: Symantec PAM combines the benefits of privileged access to new business use cases across the entire enterprise with the lowest cost of ownership.
- Protect the hybrid enterprise: Symantec PAM controls privileged access across all IT resources, from cloud to mainframe, and complements Symantec Endpoint and Network Security solutions.
- Address Regulatory Compliance: Symantec PAM provides many of the controls governing privileged access that are mandated by emerging data privacy laws and regulatory and industry compliance mandates.
- Flexible deployment model: Symantec PAM provides the flexible deployment model the modern hybrid enterprise requires with a single solution that can be implemented on-prem, in the cloud, or in a hybrid environment.
When considering a PAM solution, the question is Why Symantec? Why should I consider your solution?
There are four areas that we normally highlight when customers ask us this question:
- Quick Time to Protection
- Enterprise-Class Scalability
- Defense-in-Depth Protection, and
Thank you for your engagement. Please look for more blogs on the subject of privileged access in the future. And feel free to reach out at any time with any questions or to join in the conversation.
We encourage you to share your thoughts on your favorite social platform.